California's new data and privacy rights in effect as of today - Microsoft pledges US-wide application... + details of proposed CRPA

[mr moose]

24 minutes ago, Arika S said:

makes me wonder how much a single person generates in terms of targeted ad revenue from their data being sold

Enough to make google what it is today. 

[Delicieuxz]

On 1/1/2020 at 12:39 PM, Delicieuxz said:

Microsoft has posted that they will apply California's new CCPA rules nationwide in the US: Microsoft will honor California’s new privacy rights throughout the United States

 

...

 

So, why might Microsoft be openly supporting CCPA rules and applying them US-wide? It could be a case of 'if you can't beat them, join them - and then twist them in your favour'. After all, Microsoft is the company which coined the phrase "Embrace, extend, and extinguish".

 

 

And it isn't just Microsoft that are trying to get in-front of any new data rights protections: Tech industry titans suddenly love internet privacy rules. Wanna know why? We'll tell you

 

To return to the question of 'why is Microsoft applying California's rule US-wide, according to this source, Microsoft already regards California's new data rights law as de facto national law:

 

Microsoft to apply California privacy rules to all users nationwide

Quote

The move isn't a shocker. Microsoft president Brad Smith told me during a Churchill Club interview that California's law would become the "de facto national privacy law."

 

If that's because Microsoft sees as inevitable future nationwide legislation that will be at least as strong, then willingly applying California's law nationwide right now has the possibility to make Microsoft look responsible with privacy which could generate goodwill from state lawmakers down the road.

 

 

1 hour ago, Arika S said:

makes me wonder how much a single person generates in terms of targeted ad revenue from their data being sold

Stretched-out over enough years (whatever the average number of years is for people to hang onto one copy of Windows), I guess more than Microsoft expected they would make from the traditional selling of copies of Windows.

 

But ad revenue is only one way to make money from data. There are many more. Microsoft mentions they share aggregated user data with their business partners, and the purpose of that sharing could maybe be for anything imaginable.

[mr moose]

12 minutes ago, Delicieuxz said:

 

 

But ad revenue is only one way to make money from data. There are many more. Microsoft mentions they share aggregated user data with their business partners, and the purpose of that sharing could maybe be for anything imaginable.

Could and maybe in one sentence but no definitives?   I heard it could maybe be that FOSS and several torrent services are secretly stealing all your information and selling it to the stonecutters.   

[SpikeSpiegel]

Just now, mr moose said:

Could and maybe in one sentence but no definitives?   I heard it could maybe be that FOSS and several torrent services are secretly stealing all your information and selling it to the stonecutters.   

They should focus on Google.  They spy on everyone more than Microsoft itself.

[Delicieuxz]

1 hour ago, mr moose said:

Could and maybe in one sentence but no definitives?   I heard it could maybe be that FOSS and several torrent services are secretly stealing all your information and selling it to the stonecutters.   

Microsoft only says that they share aggregated data with their partners. They don't inform what the scope of possible purposes the sharing of aggregated data is for.

 

Your scenario of open-source and torrent software maybe stealing personal data and selling it isn't analogous in that you qualify the action of them taking and sharing data as merely a possibly, whereas Microsoft's action of taking and sharing data with their business partners is not mere possibly but is stated to be fact by Microsoft. It's only the scope of purposes for sharing the data that is up for speculation.

[justpoet]

MS has already said in their shareholder info that they intend to increase monetization of already purchased windows users.  So, even if they say they're doing things in a California Responsible way (which they probably found a legal loophole and that's why they want people to just adopt it), they're still going to abuse your data and advertising to you (including inside of Windows itself!).

[mr moose]

3 hours ago, Delicieuxz said:

Microsoft only says that they share aggregated data with their partners. They don't inform what the scope of possible purposes the sharing of aggregated data is for.

 

Your scenario of open-source and torrent software maybe stealing personal data and selling it isn't analogous in that you qualify the action of them taking and sharing data as merely a possibly, whereas Microsoft's action of taking and sharing data with their business partners is not mere possibly but is stated to be fact by Microsoft. It's only the scope of purposes for sharing the data that is up for speculation.

 

It's exactly the same, it's just making accusations of something happening without evidence or reason.  

 

 

[mr moose]

3 hours ago, CalintzJerevinan said:

They should focus on Google.  They spy on everyone more than Microsoft itself.

Probably, My issue with google stems more from not having viable alternatives than it does their data collection.  If I could avoid them then they can collect all the data they want.

[wanderingfool2]

11 hours ago, Bombastinator said:

Which is to say “if we can’t own you go away, but you can’t go away so I guess we own you then”.

 

I really really don’t hope it does that.  The problem is that companies shouldn’t have a right to do that kind of business in the first place.

While I don't agree with how much companies are able to currently do, the really is important to not swing too far in the opposing direction (and make things worse by imposing rules that stifle new competitors).  I personally feel that having an open ended way for customers to prevent any sale of data is doing just that.

10 hours ago, Delicieuxz said:

Yes, business models would likely need to change and they should - background data-theft isn't a legitimate business when companies like Microsoft, Facebook, and Google do it any more than when malware distributors do it. The lawless regime of data-pilfering is like a store-owner, rather than charging set prices for certain products and services, indiscriminately helping themselves to the monetary contents of people's pockets and wallets when they walk into their store - without clear knowledge or consent to it by those who enter their store.

 

It is an invasive thug and criminal business model that has no right to exist. Companies that can't thrive without it shouldn't exist. Companies that have something of value to offer are able to receive market value for their offerings.

 

So, a revamp of the business model is an objective of proper regulation of data-thieves.

The biggest thing I have an issue with is when Microsoft does it, mainly because there is a paid service.  To my point above though, I think swinging too far to the other direction can be equally as bad.  Imagine the startups that can no longer rely on targeted ads...there will be a lot less incentive and money flowing into things.  Guess what, google is "free", and so is gmail...do you remember the days when you were limited to a few MB of storage until google came along...it wasn't the technology that help provide the bump in storage, but rather the fact that companies like google was harvesting data.  It really makes you wonder, if laws were initially in place that prevented them from selling data, do you really think we would have as many free things on the internet

[Bombastinator]

25 minutes ago, mr moose said:

Probably, My issue with google stems more from not having viable alternatives than it does their data collection.  If I could avoid them then they can collect all the data they want.

Collect it is one thing.  Collection doesn’t do anything.  It’s using it that is worrisome.  An amazing amount of information can be gathered from just a little information.  The primary purpose of “loyalty cards” for instance is data collection.  An early example was a british grocery store that implemented them and decided to be helpful by reminding users when they were running out of something.  They did it on tampons and managed to predict a woman’s menstruation cycle.  There was an early attempt by IT security people to encourage loyalty card owners to trade card with each other which wrecked the computer modeling.  So “points” were instituted to prevent it.  Personal data has value, and it’s value is that it can be used to control your behavior.

[Delicieuxz]

36 minutes ago, mr moose said:

It's exactly the same, it's just making accusations of something happening without evidence or reason.  

Huh? Microsoft state they collect data and share it with their business partners. Those are facts.

[mr moose]

58 minutes ago, Delicieuxz said:

Huh? Microsoft state they collect data and share it with their business partners. Those are facts.

And claiming they do something else more nefarious with it is not facts.

[Delicieuxz]

5 minutes ago, mr moose said:

And claiming they do something else more nefarious with it is not facts.

It might not be. But that doesn't relate to what I wrote, which is:

 

"But ad revenue is only one way to make money from data. There are many more. Microsoft mentions they share aggregated user data with their business partners, and the purpose of that sharing could maybe be for anything imaginable."

 

That's a pretty factual statement. I don't know what the scope of purposes Microsoft shares data for as Microsoft hasn't made that information public. Hence, the "could" and "maybe". Those aren't assertions of any specific purposes.

[mr moose]

1 minute ago, Delicieuxz said:

It might not be. But that doesn't relate to what I wrote, which is:

 

"But ad revenue is only one way to make money from data. There are many more. ." Microsoft mentions they share aggregated user data with their business partners, and the purpose of that sharing could maybe be for anything imaginable."

 

That's a pretty factual statement. I don't know what the scope of purposes Microsoft shares data for as Microsoft hasn't made that information public. Hence, the "could" and "maybe". Those aren't assertions of any specific purposes.

 

I know you don't,  even though the privacy policy is pretty straight forward. You can't just assume when anyone (company, FOSS group or individual) doesn't specifically say what they are doing that it means they are doing any manor of things.  As I pointed out before, torrent software companies don't claim a lot of things (like what they do with the data they collect or the malware they include), and just like in this case we can't assume that means they are doing that. 

 

 

 

[Bombastinator]

4 minutes ago, mr moose said:

 

I know you don't,  even though the privacy policy is pretty straight forward. You can't just assume when anyone (company, FOSS group or individual) doesn't specifically say what they are doing that it means they are doing any manor of things.  As I pointed out before, torrent software companies don't claim a lot of things (like what they do with the data they collect or the malware they include), and just like in this case we can't assume that means they are doing that. 

 

 

 

It does mean they are allowed to though, which means assuming they are not is just as incorrect.  The “just trust us not to be evil” model has proven to be highly ineffective dealing with corporations.

[mr moose]

1 hour ago, Bombastinator said:

It does mean they are allowed to though, which means assuming they are not is just as incorrect.  The “just trust us not to be evil” model has proven to be highly ineffective dealing with corporations.

As I said earlier, it sounds stupid when people make exactly the same assumption about Torrent or FOSS based software.  There is nothing inherently different about the people who make their money from advertising in torrent programs that makes them any more trustworthy than MS.  So trying to argue that the insinuations of "they could be doing this or maybe doing that" only apply to MS is dishonest at best.

 

EDIT: also it means they are only allowed to do things that fit within the privacy policy.  That is a public document that is heavily subject to consumer law.

 

[SpikeSpiegel]

Pretty much every company spies on everyone.  Unless you don't own any electronics and don't have a social media account.

[Delicieuxz]

Here's information about how the CCPA defines the "personal information" that its edicts apply to.

 

https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act#Definition_of_personal_data

Quote

"CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

 

An additional caveat identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

 

It does not consider Publicly Available Information as personal.

 

Key differences between CCPA and the European Union's GDPR include the scope and territorial reach of each, definitions related to protected information, levels of specificity, and an opt-out right for sales of personal information. CCPA differs in definition of personal information from GDPR as in some cases the CCPA only considers data that was provided by a consumer and excludes personal data that was purchased by, or acquired through, third parties. The GDPR does not make that distinction and covers all personal data regardless of source (even in the event of sensitive personal information, this doesn't apply if the information was manifestly made public by the data subject themselves, following the exception under Art.9(2),e). As such the definition in GDPR is much broader than defined in the CCPA."

 

 

Here's the bill's fuller definition of "personal information" and related terms that establish what data the bill regulates. This information is in section 1798.140 of the bill.

 

(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(2) “Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.
(p) “Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
(q) “Processing” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.
(r) “Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
(s) “Research” means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’ service or device for other purposes shall be:
(1) Compatible with the business purpose for which the personal information was collected.
(2) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
(3) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(4) Subject to business processes that specifically prohibit reidentification of the information.
(5) Made subject to business processes to prevent inadvertent release of deidentified information.
(6) Protected from any reidentification attempts.
(7) Used solely for research purposes that are compatible with the context in which the personal information was collected.
(8) Not be used for any commercial purpose.
(9) Subjected by the business conducting the research to additional security controls limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.
(t) (1) “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
(2) For purposes of this title, a business does not sell personal information when:
(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
(B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.
(C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purposes if both of the following conditions are met: services that the service provider performs on the business’ behalf, provided that the service provider also does not sell the personal information.
(i) The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.
(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
(D) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).
(u) “Service” or “services” means work, labor, and services, including services furnished in connection with the sale or repair of goods.
(v) “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
(w) “Third party” means a person who is not any of the following:
(1) The business that collects personal information from consumers under this title.
(2) A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:
(A) Prohibits the person receiving the personal information from:
(i) Selling the personal information.
(ii) Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
(iii) Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
(B) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.
A person covered by paragraph (2) that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by paragraph (2) in compliance with paragraph (2) shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.
(x) “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
(y) “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115 if the business cannot verify, pursuant this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.

[Bombastinator]

9 hours ago, mr moose said:

As I said earlier, it sounds stupid when people make exactly the same assumption about Torrent or FOSS based software.  There is nothing inherently different about the people who make their money from advertising in torrent programs that makes them any more trustworthy than MS.  So trying to argue that the insinuations of "they could be doing this or maybe doing that" only apply to MS is dishonest at best.

 

EDIT: also it means they are only allowed to do things that fit within the privacy policy.  That is a public document that is heavily subject to consumer law.

 

I agree.  I don’t think the implication that MS is inherently less honest than any other company was intended, merely that it is impossible to arrange for them to be more honest without regulation in place, and even that does not do it if laws are broken.  Laws only make entities more prosecutable.

[Bombastinator]

9 minutes ago, Delicieuxz said:

Of course it applies to other tech giants.

Not just tech giants.  It’s not that limited.  Not by tech and not by giant.

Edited January 4, 2020 by Spotty
snipped quote (don't quote long texts just to reference one sentence)

[Delicieuxz]

3 hours ago, Bombastinator said:

Not just tech giants.  It’s not that limited.  Not by tech and not by giant.

Of course that's true too. However, smaller data transgression are less news-worthy than the larger ones. So, the ones I have reported on typically come from the tech giants. I've reported them as I've seen them. If I've reported more about Microsoft than others it's because there have been more news-worthy topics which have involved Microsoft's practices - which isn't surprising considering all the debacles with Windows 10 where Microsoft broke new ground by making an OS a data-harvesting monster, getting caught by regulators around the world for breaking rules or instigating investigations, being caught lying in their PR about what they collect, etc.

 

Microsoft is mentioned in the OP of this thread because Microsoft said something about the CCPA rules. I didn't see other tech giants making comments of their own when I posted the thread. Moose looks for conspiracies where there are none.

[Bombastinator]

4 minutes ago, Delicieuxz said:

Of course that's true to. However, smaller data transgression are less news-worthy than the larger ones. So, the ones I have reported on typically come from the tech giants. I've reported them as I've seen them. If I've reported more about Microsoft than others it's because there have been more news-worthy topics which have involved Microsoft's practices - which isn't surprising considering all the debacles with Windows where Microsoft broke new ground by making an OS a data-harvesting monster, getting caught be regulators around the world for breaking rules or instigating investigations, being caught lying in their PR about what they collect, etc.

 

Microsoft is mentioned in the OP of this thread because Microsoft said something about the CCPA rules. I didn't see other tech giants making comments of their own when I posted the thread. Moose looks for conspiracies where there are none.

It is worth remembering I guess that tech businesses are businesses first.  Tech is just what they do.